12:35 PM -- The press covered it, the user community rejoiced, but what does it actually mean that the author of the first cross-site scripting (XSS) virus was prosecuted? The first ever XSS worm was called Samy after Samy Kamkar, who wrote the worm to test how popular he could be on MySpace by getting users to automatically add him to their friends list.
After his worm infected a million users (the largest infection in history), the exploit was finally halted by the administrators. Samy got barely a slap on the wrist: three years of probation and a few months of community service.
Still, it was the first XSS exploit that resulted in the arrest of the author. This case was pretty open and shut. Not only was the worm named after Samy, it was designed to get people to add him as their friend. He even went as far as to post on his Website a long explanation of how the worm worked. So we can be very certain that he was in fact the person responsible. However, because of the way XSS works, it can turn other users' browsers against them.
That's right, Samy could have been framed. Not that he was framed in this case, but let's assume for a second that some random person on the Internet went to a malicious Website. Their browser could be made, through a cross-site request forgery, to post an XSS exploit into the target Website. The target Website now contains a persistent exploit that was posted there by someone who may have never even heard of XSS, let alone written it. But because their account was the first to have the exploit posted to it, they would appear to be the originator of the worm.
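A forensic check for the framing scenario above, as an added example that is not part of the original column: it finds the earliest request that carried the payload and tests whether that request arrived from another site. The site origin, log fields, account names and marker string are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

SITE_ORIGIN = "https://social.example"  # hypothetical target site
MARKER = "WORM-MARKER"                  # stand-in for the payload signature

# Constructed request-log records for profile-update POSTs (not real data).
LOG = [
    {"ts": "2024-01-01T10:05:00+00:00", "account": "carol", "origin": SITE_ORIGIN,
     "referer": SITE_ORIGIN + "/profile/bob", "body": "hi " + MARKER},
    {"ts": "2024-01-01T10:00:00+00:00", "account": "alice", "origin": None,
     "referer": "https://malicious.example/lure.html", "body": MARKER},
    {"ts": "2024-01-01T10:02:00+00:00", "account": "bob", "origin": SITE_ORIGIN,
     "referer": SITE_ORIGIN + "/profile/alice", "body": MARKER},
    {"ts": "2024-01-01T09:00:00+00:00", "account": "dave", "origin": SITE_ORIGIN,
     "referer": SITE_ORIGIN + "/edit", "body": "hello"},
]

def source_origin(rec):
    """Origin header if usable, else scheme://host of the Referer, else None."""
    if rec.get("origin") and rec["origin"] != "null":
        return rec["origin"].rstrip("/").lower()
    ref = urlsplit(rec.get("referer") or "")
    return f"{ref.scheme}://{ref.netloc}".lower() if ref.scheme and ref.netloc else None

def classify(rec):
    """Label a request by where the browser said it came from."""
    src = source_origin(rec)
    if src is None:
        return "unknown"
    return "same-site" if src == SITE_ORIGIN else "cross-site"

def first_carrier(log, marker=MARKER):
    """Earliest logged request whose body contains the payload marker."""
    hits = [r for r in log if marker in r["body"]]
    return min(hits, key=lambda r: datetime.fromisoformat(r["ts"])) if hits else None

def attribution_report(log, marker=MARKER):
    first = first_carrier(log, marker)
    if first is None:
        return None
    kind = classify(first)
    # A cross-site first post means the account owner's browser may have been
    # driven by another page; the account alone does not identify the author.
    return {"account": first["account"], "request": kind,
            "forged_request_suspected": kind == "cross-site",
            "lure_origin": source_origin(first) if kind == "cross-site" else None}
```

A same-site result does not establish authorship either, since the worm's own propagation also produces same-site posts; the check only separates "first account in the log" from "request initiated on another site".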
XSS brings a unique depth to exploitation. XSS and cross-site request forgeries allow the attacker to turn people's computers against them, as if the browser were a modern-day proxy server.